Add support for multiple alias and remove duplication of SSL certificates (#4472)

2019-08-26 10:58:44 -04:00 · 2019-08-26 10:58:44 -04:00 · 8def5ef7ca
commit 8def5ef7ca
parent 4847bb02f0
19 changed files with 190 additions and 101 deletions
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -401,8 +401,11 @@ func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.S
 		if !hosts.Has(server.Hostname) {
 			hosts.Insert(server.Hostname)
 		}
-		if server.Alias != "" && !hosts.Has(server.Alias) {
-			hosts.Insert(server.Alias)
+
+		for _, alias := range server.Aliases {
+			if !hosts.Has(alias) {
+				hosts.Insert(alias)
+			}
 		}

 		if !server.SSLPassthrough {
@ -931,7 +934,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 	du *ingress.Backend) map[string]*ingress.Server {

 	servers := make(map[string]*ingress.Server, len(data))
-	aliases := make(map[string]string, len(data))
+	allAliases := make(map[string][]string, len(data))

 	bdef := n.store.GetDefaultBackend()
 	ngxProxy := proxy.Config{
@ -1061,16 +1064,13 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 				host = defServerName
 			}

-			if anns.Alias != "" {
-				if servers[host].Alias == "" {
-					servers[host].Alias = anns.Alias
-					if _, ok := aliases["Alias"]; !ok {
-						aliases["Alias"] = host
-					}
-				} else {
-					klog.Warningf("Aliases already configured for server %q, skipping (Ingress %q)",
-						host, ingKey)
+			if len(servers[host].Aliases) == 0 {
+				servers[host].Aliases = anns.Aliases
+				if _, ok := allAliases[host]; !ok {
+					allAliases[host] = anns.Aliases
 				}
+			} else {
+				klog.Warningf("Aliases already configured for server %q, skipping (Ingress %q)", host, ingKey)
 			}

 			if anns.ServerSnippet != "" {
@ -1133,10 +1133,12 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 		}
 	}

-	for alias, host := range aliases {
-		if _, ok := servers[alias]; ok {
-			klog.Warningf("Conflicting hostname (%v) and alias (%v). Removing alias to avoid conflicts.", host, alias)
-			servers[host].Alias = ""
+	for host, hostAliases := range allAliases {
+		for index, alias := range hostAliases {
+			if _, ok := servers[alias]; ok {
+				klog.Warningf("Conflicting hostname (%v) and alias (%v). Removing alias to avoid conflicts.", host, alias)
+				servers[host].Aliases = append(servers[host].Aliases[:index], servers[host].Aliases[index+1:]...)
+			}
 		}
 	}

--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@ -991,30 +991,38 @@ func configureBackends(rawBackends []*ingress.Backend) error {
 	return nil
 }

+type sslConfiguration struct {
+	Certificates map[string]string `json:"certificates"`
+	Servers      map[string]string `json:"servers"`
+}
+
 // configureCertificates JSON encodes certificates and POSTs it to an internal HTTP endpoint
 // that is handled by Lua
 func configureCertificates(rawServers []*ingress.Server) error {
-	servers := make([]*ingress.Server, 0)
+	configuration := &sslConfiguration{
+		Certificates: map[string]string{},
+		Servers:      map[string]string{},
+	}

-	for _, server := range rawServers {
-		if server.SSLCert == nil {
+	for _, rawServer := range rawServers {
+		if rawServer.SSLCert == nil {
 			continue
 		}

-		servers = append(servers, &ingress.Server{
-			Hostname: server.Hostname,
-			SSLCert: &ingress.SSLCert{
-				PemCertKey: server.SSLCert.PemCertKey,
-			},
-		})
+		uid := rawServer.SSLCert.UID

-		if server.Alias != "" && ssl.IsValidHostname(server.Alias, server.SSLCert.CN) {
-			servers = append(servers, &ingress.Server{
-				Hostname: server.Alias,
-				SSLCert: &ingress.SSLCert{
-					PemCertKey: server.SSLCert.PemCertKey,
-				},
-			})
+		if _, ok := configuration.Certificates[uid]; !ok {
+			configuration.Certificates[uid] = rawServer.SSLCert.PemCertKey
+		}
+
+		configuration.Servers[rawServer.Hostname] = uid
+
+		for _, alias := range rawServer.Aliases {
+			if !ssl.IsValidHostname(alias, rawServer.SSLCert.CN) {
+				continue
+			}
+
+			configuration.Servers[alias] = uid
 		}
 	}

@ -1024,15 +1032,14 @@ func configureCertificates(rawServers []*ingress.Server) error {
 			continue
 		}

-		servers = append(servers, &ingress.Server{
-			Hostname: redirect.From,
-			SSLCert: &ingress.SSLCert{
-				PemCertKey: redirect.SSLCert.PemCertKey,
-			},
-		})
+		configuration.Servers[redirect.From] = redirect.SSLCert.UID
+
+		if _, ok := configuration.Certificates[redirect.SSLCert.UID]; !ok {
+			configuration.Certificates[redirect.SSLCert.UID] = redirect.SSLCert.PemCertKey
+		}
 	}

-	statusCode, _, err := nginx.NewPostStatusRequest("/configuration/servers", "application/json", servers)
+	statusCode, _, err := nginx.NewPostStatusRequest("/configuration/servers", "application/json", configuration)
 	if err != nil {
 		return err
 	}
--- a/internal/ingress/controller/nginx_test.go
+++ b/internal/ingress/controller/nginx_test.go
@ -185,7 +185,7 @@ func TestConfigureDynamically(t *testing.T) {
 				}
 				body := string(b)

-				endpointStats[r.URL.Path] += 1
+				endpointStats[r.URL.Path]++

 				switch r.URL.Path {
 				case "/configuration/backends":
@ -206,7 +206,7 @@ func TestConfigureDynamically(t *testing.T) {
 					}
 				case "/configuration/servers":
 					{
-						if !strings.Contains(body, "[]") {
+						if !strings.Contains(body, `{"certificates":{},"servers":{}}`) {
 							t.Errorf("controllerPodsCount should be present in JSON content: %v", body)
 						}
 					}
@ -337,6 +337,7 @@ func TestConfigureCertificates(t *testing.T) {
 		Hostname: "myapp.fake",
 		SSLCert: &ingress.SSLCert{
 			PemCertKey: "fake-cert",
+			UID:        "c89a5111-b2e9-4af8-be19-c2a4a924c256",
 		},
 	}}

@ -354,18 +355,18 @@ func TestConfigureCertificates(t *testing.T) {
 				if err != nil && err != io.EOF {
 					t.Fatal(err)
 				}
-				var postedServers []ingress.Server
-				err = jsoniter.ConfigCompatibleWithStandardLibrary.Unmarshal(b, &postedServers)
+				var conf sslConfiguration
+				err = jsoniter.ConfigCompatibleWithStandardLibrary.Unmarshal(b, &conf)
 				if err != nil {
 					t.Fatal(err)
 				}

-				if len(servers) != len(postedServers) {
+				if len(servers) != len(conf.Servers) {
 					t.Errorf("Expected servers to be the same length as the posted servers")
 				}

-				for i, server := range servers {
-					if !server.Equal(&postedServers[i]) {
+				for _, server := range servers {
+					if server.SSLCert.UID != conf.Servers[server.Hostname] {
 						t.Errorf("Expected servers and posted servers to be equal")
 					}
 				}
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
@ -99,7 +99,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 			return nil, fmt.Errorf("key 'tls.key' missing from Secret %q", secretName)
 		}

-		sslCert, err = ssl.CreateSSLCert(cert, key)
+		sslCert, err = ssl.CreateSSLCert(cert, key, string(secret.UID))
 		if err != nil {
 			return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err)
 		}
--- a/internal/ingress/controller/template/configmap.go
+++ b/internal/ingress/controller/template/configmap.go
@ -70,6 +70,7 @@ var (
 		"balancer_ewma":                 10,
 		"balancer_ewma_last_touched_at": 10,
 		"balancer_ewma_locks":           1,
+		"certificate_servers":           5,
 	}
 )